The worst thing organizations can do is take a rigid stance in their cybersecurity efforts. The digital threat landscape is constantly evolving. If organizations settle into a fixed viewpoint, they could inflate one source of risk into something unrealistic while missing other digital threats.

This reflects just how much assumptions drive cybersecurity-related decisions. Forbes put it this way: “Risk assessment, budgetary needs and priorities are the outcome of hypothetical debates and are subject to internal pressures and politics. Both security professionals and business executives continuously seek solutions or methodologies that will put a $ sign next to their investment, as well as risk.”

Consequently, it’s no surprise that there are open questions in cybersecurity about where organizations can take their strategies in the next few years. Here’s a recap of five open questions that are currently shaping the cybersecurity space and how we are seeing them addressed in the industry.

1. Do Passwords Do More Harm than Good?

Technology firms like Microsoft are abandoning the password for three reasons. First, they’re looking to Single Sign-On (SSO) and other technologies that don’t hamper their workers’ experience and productivity as much as traditional password-based identity protection. Second, passwordless authentication makes it easier for organizations to defend their authorized accounts against brute-forcing, credential stuffing and other attack attempts that rely on guessing weak passwords. Third, organizations are choosing to embrace multi-factor authentication (MFA) and other controls as a way of limiting what a malicious actor could do with a compromised password.

But there are risks involved with implementing passwordless authentication. For instance, fingerprint readers, biometric scanners and other security measures provide new targets that attackers can potentially misuse to access user data. Passwordless authentication also does not exempt organizations and users from phishing attacks, scams and identity theft.

Notwithstanding those risks, passwordless authentication is here to stay. Organizations, therefore, need to understand its associated benefits and risks so that they can best protect their users going forward.

2. Do Firewalls Serve Any Purpose for Zero Trust?

The answer is nuanced. Traditional firewalls can’t protect organizations against threats that have already infiltrated the network. As such, they can’t help organizations uphold zero trust.

But the same doesn’t apply to next-generation firewalls (NGFWs). These firewalls can complement zero trust by functioning as segmentation gateways: multifaceted tools that combine network access tools, micro-segmentation, web application firewalls and other functions to enforce zero trust. Segmentation gateways operate at the center of the network, not at the perimeter. In doing so, they provide insight into data access that infosec teams can use to spot a potential attack before it evolves into a security incident.

3. Can Cyber Ranges Help Organizations?

Demand for cyber ranges increased after organizations shifted to remote/hybrid work in 2020 and following high-profile attacks like the Colonial Pipeline incident. It’s important to keep in mind that not every organization needs a cyber range on a long-term basis. Some just can’t justify the cost of building and maintaining one.

That said, cyber ranges do carry benefits. They provide a means through which organizations can improve the level of coordination and experience of their security teams, for instance. Through cyber ranges, infosec personnel can immerse themselves in real attack scenarios and explore what a live response would entail. Cyber ranges also help organizations to satisfy the compliance standards and mandates established by the National Institute of Standards and Technology (NIST) and other bodies.

Organizations just need to remember that not every cyber range is created equal. With that in mind, they need to figure out which type of cyber range fits their security needs. From there, they can build and maintain a solution that works for them.

4. Is a Traditional Career Path Required for Security Pros?

Not even a little bit. Infosec personnel come from all types of backgrounds such as playing poker online, serving in the military and obtaining music degrees. These experiences have helped to inform security professionals’ work, giving the community fresh perspectives with which they can protect organizations’ systems and data. This is to say that anyone can forge a career in cybersecurity.

5. What Can Developers Do to Ensure Their Organization’s Security?

There’s a lack of cohesion around who’s responsible for security. Many security professionals don’t trust the ability of developers to write secure code, for instance. Meanwhile, developers don’t feel they have the proper guidance to uphold security for their employers.

These viewpoints underscore a lack of clarity around digital defense in the workplace. In a recent survey conducted by GitLab, for instance, about a third of security personnel said that they were responsible for security. Nearly three in 10 participants said everyone in the organization was equally responsible, while 21% said the onus was on developers specifically.

Clearly, something needs to be done. Most developers are releasing software and apps more quickly today than they did just a few years ago. This highlights the opportunity for developers to play a role in contributing to their organization’s security.

The key is for security experts and developers to work together as partners for the purpose of achieving secure code. One of the ways they can do that is to expose the services they provide through a seamless API consumption-based model. Doing so will make it easier for developers to blend security naturally into the software development life cycle.

Additionally, organizations can make sure that they’re providing security awareness training to their developers. These employees won’t be able to function as full partners in DevSecOps unless they understand the security risks confronting them. With that in mind, organizations need to approach DevSecOps as an opportunity to foster a collaborative and inclusive security culture.

Cybersecurity Is Always Changing

The questions discussed above might not be open or debatable several years from now, but they give something for organizations to consider in the meantime. Fortunately, the security industry is a community. As such, we’ll continue to explore these issues as a community going forward.
